Adam Shostack & friends – Page 2 – Security, privacy, economics and unrelated topics since 2005

2019-12-30 by adam

Echo, Threat Modeling and Privacy

I’m featured in (local NPR Affiliate) KUOW’s Primed: Season 3, Episode 8. I appreciate how the sense of fun that many security people bring to their work comes through. For me, it was fun learning about how Elevation of Privilege works for non-techies. (Spoiler: not super-well, you need to select the cards pretty carefully. Maybe…

2019-12-13 by adam

Star Wars Episode 9 is a week away!

Emily Asher-Perrin has some of the most interesting writing on the Star Wars universe. I like her analysis of where Rey may come from in Rey Should Choose to Adopt the Skywalker Name, Not Be Retconned Into the Family. I half look forward to the day when Disney assimilates her into the official writing team.…

2019-12-11 by adam

Encryption & Privacy Policy and Technology

The Open Technology Institute has an Open Letter to Law Enforcement in the U.S., UK, and Australia: Weak Encryption Puts Billions of Internet Users at Risk. (press release, letter.) I am pleased to be one of the signers. In closely related news, nominations for the 2020 Caspar Bowden Award for Outstanding Research in Privacy Enhancing…

2019-12-07 by adam

Empirical Evaluation of Secure Development Processes

Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success, we’ve already seen publications inspired by it, such as Moving Fast and Breaking Things: How to stop crashing more than twice, and I know there’s more forthcoming. I’m…

Over the years, a number of people set up Feedburner accounts to proxy RSS from our blogs into their system. I generally have no issue with people reading how they choose, but I cannot provide support or management. Google is end of lifing the old Feedburner, and for those of you reading via Feedburner RSS, I humbly ask that you update to https://adam.shostack.org/blog/feed/ or https://adam.shostack.org/blog/comments/feed/ (with comments).

2019-12-01 by adam

Books Worth Your Time (Q4)

Cyber The Huawei and Snowden Questions, by Olav Lysne is a deep dive into what happens when an untrusted vendor builds your trusted computing base, and more importantly, why a great many of the “obvious” ways to address those risks are subject to easy work-arounds. This is unhappy news for Huawei, but more importantly, as…

2019-11-30 by adam

The Gavle Goat is up

[Update: The goat survived, for the third year in a row!] For 51 years, the gallant people of Gavle, Sweden, have been putting up a straw goat, and arsonists have been burning it. Apparently, they didn’t have Twitter back then, and needed alternate ways to get into flame wars. Previously: Gavle Goat at Shostack &…

2019-11-26 by adam

Han Solo, Frozen in Carbonite

Apparently, someone was baked at Williams Sonoma.

2019-11-14 by adam

Managed Attribution Threat Modeling

The more I learn about threat modeling, the more I think the toughest part is how we answer the question: “What can go wrong?” Perhaps that’s “finding threats.” Maybe it’s “discovering” or “eliciting” them. Maybe it’s analogizing from threats we know about. I’m not yet even sure what to call it. But what it does…

2019-11-06 by adam

Message Sequence Charts

I was not aware that the ITU had formalized swim lane diagrams into Message Sequence Charts. While you don’t need to use these formalizations, the choices they made, and the comparisons to UML’s diagrams can be interesting, especially if there are tricky corners where you’re having trouble modeling some flow. For example, “They work particularly…